This paper presents a type theory with a form of equality reflection: provable equalities can be used to coerce the type of a term. Coercions and other annotations, including implicit arguments, are dropped during reduction of terms. We develop the metatheory for an undecidable version of the system with unannotated terms. We then devise a decidable system with annotated terms, justified in terms of the unannotated system. Finally, we show how the approach can be extended to account for large eliminations, using what we call quasi-implicit products.

1 Introduction 

The main goal of this paper, as of several recent works, is to facilitate external reasoning about dependently typed programs. This is hampered if one must reason about specificational data occurring in terms. Specificational data are data which have no effect on the result of the computation, and are present in program text solely for verification purposes. In traditional formal methods, specificational data are also sometimes called ghost data. For example, consider the familiar example of vectors (vec φ l) indexed by both the type φ of the elements and the length l of the vector. An example dependently typed program is the append_φ function (we work here with monomorphic functions, but will elide type subscripts), operating on vectors holding data of type φ. We can define append so that it has the following type, assuming a standard definition of plus on unary natural numbers nat:

$$\mathit{append} : \Pi l_1{:}\mathit{nat}.\Pi l_2{:}\mathit{nat}.\Pi v_1{:}(\mathit{vec}\ l_1).\Pi v_2{:}(\mathit{vec}\ l_2).(\mathit{vec}\ (\mathit{plus}\ l_1\ l_2))$$

We might wish to prove that append is associative. In type theories such as Coq's Calculus of Inductive Constructions, we would do this by showing that the following type is inhabited:

$$\begin{array}{l}
\Pi l_1{:}\mathit{nat}.\Pi l_2{:}\mathit{nat}.\Pi l_3{:}\mathit{nat}.\Pi v_1{:}(\mathit{vec}\ \phi\ l_1).\Pi v_2{:}(\mathit{vec}\ \phi\ l_2).\Pi v_3{:}(\mathit{vec}\ \phi\ l_3).\\
\quad (\mathit{append}\ (\mathit{plus}\ l_1\ l_2)\ l_3\ (\mathit{append}\ l_1\ l_2\ v_1\ v_2)\ v_3) = (\mathit{append}\ l_1\ (\mathit{plus}\ l_2\ l_3)\ v_1\ (\mathit{append}\ l_2\ l_3\ v_2\ v_3))
\end{array}$$

Notice how the lengths of the vectors are cluttering even the statement of this theorem. Tools like Coq allow such arguments to be elided, when they can be uniquely reconstructed. So the theorem to prove can be written in the much more palatable form:

$$\begin{array}{l}
\Pi l_1{:}\mathit{nat}.\Pi l_2{:}\mathit{nat}.\Pi l_3{:}\mathit{nat}.\Pi v_1{:}(\mathit{vec}\ l_1).\Pi v_2{:}(\mathit{vec}\ l_2).\Pi v_3{:}(\mathit{vec}\ l_3).\\
\quad (\mathit{append}\ (\mathit{append}\ v_1\ v_2)\ v_3) = (\mathit{append}\ v_1\ (\mathit{append}\ v_2\ v_3))
\end{array}$$

This is much more readable. But as others have noted, while the indices have been elided, they are not truly erased. This means that the proof of associativity of append must make use of associativity also of plus, in order for the lengths of the two vectors (on the two sides of the equation) to be equal. Indeed, even stating this equation may require some care, since the types of the two sides are not definitionally equal: one has (plus (plus l1 l2) l3) where the other has (plus l1 (plus l2 l3)). This is where techniques like heterogeneous equality come into play [?].

One solution to this problem is via intersection types, also called in this setting implicit products, as in the Implicit Calculus of Constructions [?]. An implicit product ∀x:φ.φ' is the type for functions whose arguments are erased during conversion (cf. [?]). Such a type can also be viewed as an infinite intersection type, since its typing rule will assert Γ ⊢ t : ∀x:φ.φ' whenever Γ, x:φ ⊢ t : φ'. This rule formalizes (approximately) the idea that t is in the type ∀x:φ.φ' whenever it is in each instance of that type (i.e., each type [u/x]φ' for u : φ). Thus, membership in the ∀-type follows from membership in the instances of the body of the ∀-type, making the ∀-type an intersection of those instances. Note that this is an infinitary intersection, and thus different from the classical finitary intersection type of [14]. We note in passing that the current work includes first-class datatypes, while the other works just cited all rely on encodings of inductive data as lambda terms.

We seek to take the previous approaches further, and erase not just arguments to functions typed with implicit products, but all annotations. This is not the case in the Implicit Calculus of Constructions, for example, or its algorithmic development ICC* [2], where typing annotations other than implicit arguments are not erased from terms. When testing β-equivalence of terms, we will work with unannotated versions of those terms, where all type- and proof-annotations have been dropped. For associativity of append, the proof does not require associativity of plus. From the point of view of external reasoning, append on vectors will be indistinguishable from append on lists (without statically tracked length).

The T^vec Type Theory. This paper studies versions of a type theory we call T^vec. This system is like Gödel's System T, with vectors and explicit equality proofs. We first study an undecidable version of T^vec with equality reflection, where terms are completely unannotated (Section 2). We establish standard meta-theoretic results for this unannotated system (Section 3). We then devise a decidable annotated version of the language, which we also call T^vec (the context will determine whether the annotated or unannotated language is intended). The soundness of annotated T^vec is justified by erasure to the unannotated system (Section 4). We consider the associativity of append in annotated T^vec, as an example (Section 4.1). This approach of studying unannotated versus annotated versions of the type theory should be contrasted with the approach taken in NuPRL, based on Martin-Löf's extensional type theory [3, ?]. There, one constructs typing derivations, as separate artifacts, for unannotated terms. Here, we unite the typing derivation and the unannotated term in a single artifact, namely the annotated term.

Large eliminations. Type-level computation poses challenges for our approach. Because coercions by equality proofs are erased from terms, if we naively extended the system with large eliminations (types defined by pattern matching on terms) we would be able to assign types to diverging or stuck terms. We propose a solution based on what we call quasi-implicit products. These effectively serve to mark the introduction and elimination of the intersection type, and prohibit call-by-value reduction within an introduction. This saves Normalization and Progress, which would otherwise fail. We develop the meta-theory of an extension of the unannotated system with large eliminations and call-by-value reduction, including normalization (Section 5).

The basic idea of basing provable equality on the operational semantics of unannotated terms has been implemented previously in the GURU dependently typed programming language, publicly available at http://www.guru-lang.org [10]. The current paper improves upon the work on Guru, by developing and analyzing a formal theory embodying that idea (lacking in [10]).
$$\begin{array}{rcl}
(\lambda x.a)\ a' & \leadsto & [a'/x]a\\
(R_{\mathit{nat}}\ a\ a'\ 0) & \leadsto & a\\
(R_{\mathit{nat}}\ a\ a'\ (S\ a'')) & \leadsto & (a'\ a''\ (R_{\mathit{nat}}\ a\ a'\ a''))\\
(R_{\mathit{vec}}\ a\ a'\ \mathit{nil}) & \leadsto & a\\
(R_{\mathit{vec}}\ a\ a'\ (\mathit{cons}\ a_1\ a'')) & \leadsto & (a'\ a_1\ a''\ (R_{\mathit{vec}}\ a\ a'\ a''))
\end{array}$$

Figure 1: Reduction semantics for unannotated T^vec terms



2 Unannotated T^vec



The definition of unannotated T^vec uses unannotated terms a (we sometimes also write b):

$$a ::= x \mid (a\ a') \mid \lambda x.a \mid 0 \mid (S\ a) \mid (R_{\mathit{nat}}\ a\ a'\ a'') \mid \mathit{nil} \mid (\mathit{cons}\ a\ a') \mid (R_{\mathit{vec}}\ a\ a'\ a'') \mid \mathit{join}$$

Here, x is for λ-bound variables and S is for successor (not the S combinator). Rnat is the recursor over natural numbers, and Rvec is the recursor over vectors. We have constructors nil and cons for vectors. The term construct join is the introduction form for equality proofs. We will not need an elimination form, since our system includes a form of equality reflection. For readability, we sometimes use meta-variable l for terms a intended as lengths of vectors. Types are defined by:

$$\phi ::= \mathit{nat} \mid (\mathit{vec}\ \phi\ a) \mid \Pi x{:}\phi.\phi' \mid \forall x{:}\phi.\phi' \mid a = a'$$

The first Π-type is as usual, while the second is an intersection type abstracting a specificational x. This x need not be λ-abstracted in the corresponding term, nor supplied as an argument when that term is applied, similarly to Miquel's implicit products [8].

The reduction relation ⇝ is the compatible closure under arbitrary contexts of the rules in Figure 1. Figure 2 gives type assignment rules for T^vec, using a standard definition of typing contexts Γ. We define Γ Ok to mean that if Γ = Γ1, x:φ, Γ2, then FV(φ) ⊆ dom(Γ1). We use a ↓ a' to mean that a and a' are joinable with respect to our reduction relation (i.e., there exists a'' such that a ⇝* a'' and a' ⇝* a'').

Perhaps surprisingly, we do not track well-formedness of types, and indeed the join and conv rules can introduce untypable terms into types. However, they preserve the invariant that terms deemed equal are joinable, and that turns out to be enough to ensure type safety.

Type assignment is not syntax-directed, due to the (conv), (spec-abs), and (spec-app) rules, and not obviously decidable. This will not pose a problem here as we study the meta-theoretic properties of the system. Section 4 defines a system of annotated terms which is obviously decidable, and justifies it by translation to unannotated T^vec. We work up to syntactic identity modulo safe renaming of bound variables, which we denote ≡.
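To make the reduction rules of Figure 1 and the joinability test a ↓ a' concrete, here is an added Python model; it is not code from the paper or from Guru. Unannotated terms are tuples, substitution is capture-avoiding, the three rule families (β, Rnat, Rvec) are applied under a normalize-subterms-first strategy, and joinability is decided by comparing normal forms, which relies on confluence exactly as the paper does. The definitions of plus and append are constructed here in the standard way the paper assumes and are not taken from the page.

```python
"""Unannotated T^vec: the terms of Section 2, the reduction rules of Figure 1,
and the joinability test a ↓ a'.  Added example, not code from the paper or
from Guru.  Terms are tuples; plus and append are constructed here in the
standard way the paper assumes."""
import itertools

_fresh = itertools.count()

# ('var',x) ('app',a,b) ('lam',x,a) ('zero',) ('succ',a) ('rnat',a,a1,a2)
# ('nil',) ('cons',a,b) ('rvec',a,a1,a2) ('join',)
def var(x):
    return ('var', x)

def app(f, *args):
    for a in args:
        f = ('app', f, a)
    return f

def lam(xs, body):
    for x in reversed(xs):
        body = ('lam', x, body)
    return body

def num(n):
    t = ('zero',)
    for _ in range(n):
        t = ('succ', t)
    return t

def vec(*elems):
    t = ('nil',)
    for e in reversed(elems):
        t = ('cons', e, t)
    return t

def subterms(t):
    return [c for c in t[1:] if isinstance(c, tuple)]

def fv(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'lam':
        return fv(t[2]) - {t[1]}
    return set().union(*(fv(c) for c in subterms(t)))

def subst(t, x, s):
    """Capture-avoiding substitution [s/x]t."""
    if t[0] == 'var':
        return s if t[1] == x else t
    if t[0] == 'lam':
        y, body = t[1], t[2]
        if y == x:
            return t
        if y in fv(s):                       # rename the binder to avoid capture
            y2 = f"{y}#{next(_fresh)}"
            body, y = subst(body, y, var(y2)), y2
        return ('lam', y, subst(body, x, s))
    return (t[0],) + tuple(subst(c, x, s) for c in t[1:])

def step(t):
    """One root step by a rule of Figure 1 (beta, Rnat, Rvec), else None."""
    if t[0] == 'app' and t[1][0] == 'lam':
        return subst(t[1][2], t[1][1], t[2])
    if t[0] == 'rnat':
        a, a1, n = t[1:]
        if n[0] == 'zero':
            return a
        if n[0] == 'succ':                   # (Rnat a a' (S a'')) ~> (a' a'' (Rnat a a' a''))
            return app(a1, n[1], ('rnat', a, a1, n[1]))
    if t[0] == 'rvec':
        a, a1, v = t[1:]
        if v[0] == 'nil':
            return a
        if v[0] == 'cons':                   # (Rvec a a' (cons a1 a'')) ~> (a' a1 a'' (Rvec a a' a''))
            return app(a1, v[1], v[2], ('rvec', a, a1, v[2]))
    return None

def normalize(t):
    """Full normal form (subterms first); terminates on the strongly
    normalizing terms Section 3 is about, open or closed."""
    t = (t[0],) + tuple(normalize(c) if isinstance(c, tuple) else c for c in t[1:])
    r = step(t)
    return t if r is None else normalize(r)

def canon(t, env=()):
    """Bound variables as de Bruijn indices, so terms compare modulo renaming."""
    if t[0] == 'var':
        return ('bvar', env.index(t[1])) if t[1] in env else t
    if t[0] == 'lam':
        return ('lam', canon(t[2], (t[1],) + env))
    return (t[0],) + tuple(canon(c, env) for c in t[1:])

def joinable(a, b):
    """a ↓ b, decided by comparing normal forms (Corollary 2); relies on
    confluence, which the paper assumes (Section 3.2)."""
    return canon(normalize(a)) == canon(normalize(b))

# plus m n = (Rnat n (λp.λr.(S r)) m);  append v1 v2 = (Rvec v2 (λx.λv.λr.(cons x r)) v1)
PLUS = lam(['m', 'n'], ('rnat', var('n'), lam(['p', 'r'], ('succ', var('r'))), var('m')))
APPEND = lam(['v1', 'v2'], ('rvec', var('v2'), lam(['x', 'v', 'r'], ('cons', var('x'), var('r'))), var('v1')))

def plus(a, b):
    return app(PLUS, a, b)

def append(a, b):
    return app(APPEND, a, b)

if __name__ == '__main__':
    print(joinable(plus(num(2), num(2)), num(4)))                                   # True
    print(normalize(append(vec(num(0), num(1)), vec(num(2)))) == vec(num(0), num(1), num(2)))
    # open terms: both sides are stuck on Rnat, so they are not joinable even
    # though every ground instance is (the issue Section 3.1 addresses)
    print(joinable(plus(var('x'), var('y')), plus(var('y'), var('x'))))            # False
    print(joinable(append(('nil',), var('v')), var('v')))                          # True
```

The last two checks show the limitation that motivates Section 3.1: (plus x y) and (plus y x) are both stuck open terms with different normal forms, so plain joinability does not identify them, although every closing substitution makes them join; the same holds for (append v nil) against v, whereas (append nil v) reduces to v outright.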



3 Metatheory of Unannotated T^vec

T^vec enjoys standard properties: Type Preservation, Progress (for closed terms), and Strong Normalization. These are all easily obtained, the last by dependency-erasing translation to another type theory (as done originally for LF in [5]). Here, we consider a more semantically informative approach to Strong Normalization. Omitted proofs may be found in a companion report on the second author's web page (see http://www.cs.uiowa.edu/~astump/papers/ITRS10-long.pdf).

Theorem 1 (Type Preservation) If Γ ⊢ a : φ and a ⇝ a', then Γ ⊢ a' : φ.
$$\begin{array}{c}
\dfrac{\Gamma(x) = \phi \quad \Gamma\ \mathrm{Ok}}{\Gamma \vdash x : \phi}\ \text{(var)}
\qquad
\dfrac{a \downarrow a' \quad \Gamma\ \mathrm{Ok}}{\Gamma \vdash \mathit{join} : a = a'}\ \text{(join)}
\qquad
\dfrac{\Gamma, x{:}\phi' \vdash a : \phi}{\Gamma \vdash \lambda x.a : \Pi x{:}\phi'.\phi}\ \text{(abs)}
\\[2ex]
\dfrac{\Gamma \vdash a : \Pi x{:}\phi'.\phi \quad \Gamma \vdash a' : \phi'}{\Gamma \vdash (a\ a') : [a'/x]\phi}\ \text{(app)}
\qquad
\dfrac{\Gamma, x{:}\phi' \vdash a : \phi \quad x \notin \mathrm{FV}(a)}{\Gamma \vdash a : \forall x{:}\phi'.\phi}\ \text{(spec-abs)}
\qquad
\dfrac{\Gamma \vdash a : \forall x{:}\phi'.\phi \quad \Gamma \vdash a' : \phi'}{\Gamma \vdash a : [a'/x]\phi}\ \text{(spec-app)}
\\[2ex]
\dfrac{\Gamma \vdash a''' : a' = a'' \quad \Gamma \vdash a : [a'/x]\phi \quad x \notin \mathrm{dom}(\Gamma)}{\Gamma \vdash a : [a''/x]\phi}\ \text{(conv)}
\qquad
\dfrac{\Gamma\ \mathrm{Ok}}{\Gamma \vdash 0 : \mathit{nat}}\ \text{(zero)}
\qquad
\dfrac{\Gamma \vdash a : \mathit{nat}}{\Gamma \vdash (S\ a) : \mathit{nat}}\ \text{(succ)}
\\[2ex]
\dfrac{\Gamma\ \mathrm{Ok}}{\Gamma \vdash \mathit{nil} : (\mathit{vec}\ \phi\ 0)}\ \text{(nil)}
\qquad
\dfrac{\Gamma \vdash a : \phi \quad \Gamma \vdash a' : (\mathit{vec}\ \phi\ l)}{\Gamma \vdash (\mathit{cons}\ a\ a') : (\mathit{vec}\ \phi\ (S\ l))}\ \text{(cons)}
\\[2ex]
\dfrac{x \notin \mathrm{dom}(\Gamma) \quad \Gamma \vdash a'' : \mathit{nat} \quad \Gamma \vdash a : [0/x]\phi \quad \Gamma \vdash a' : \Pi y{:}\mathit{nat}.\Pi u{:}[y/x]\phi.[(S\ y)/x]\phi}{\Gamma \vdash (R_{\mathit{nat}}\ a\ a'\ a'') : [a''/x]\phi}\ \text{(Rnat)}
\\[2ex]
\dfrac{x \notin \mathrm{dom}(\Gamma) \quad \Gamma \vdash a'' : (\mathit{vec}\ \phi'\ l) \quad \Gamma \vdash a : [0/y, \mathit{nil}/x]\phi \quad \Gamma \vdash a' : \Pi z{:}\phi'.\forall l{:}\mathit{nat}.\Pi v{:}(\mathit{vec}\ \phi'\ l).\Pi u{:}[l/y, v/x]\phi.[(S\ l)/y, (\mathit{cons}\ z\ v)/x]\phi}{\Gamma \vdash (R_{\mathit{vec}}\ a\ a'\ a'') : [l/y, a''/x]\phi}\ \text{(Rvec)}
\end{array}$$

Figure 2: Type assignment system for unannotated T^vec
Theorem 2 (Progress) If Γ ⊢ a : φ and dom(Γ) ∩ FV(a) = ∅, then either a is a value or ∃a'. a ⇝ a'. Here a value is a term of the form

$$v ::= \lambda x.a \mid 0 \mid (S\ v) \mid \mathit{nil} \mid (\mathit{cons}\ v\ v') \mid \mathit{join}$$

3.1 Semantics of equality

For our Strong Normalization proof, a central issue is providing an interpretation for equality types in the presence of free variables. We would like to interpret equations like (plus 2 2) = 4 (where the numerals abbreviate terms formed with S and 0 as usual, and plus has a standard recursive definition) as simply (plus 2 2) ↓ 4. But when the two terms contain free variables, e.g., in (plus x y) = (plus y x), or when the context is inconsistent, the semantics should make the equation true, even though its sides are not joinable. So our semantics for equality types is joinability under all ground instances of the context Γ. The notation for this is a ~_Γ a'. The definition must be given as part of the definition of the interpretation of types, because we want to stipulate that the substitutions σ replace each variable x by a ground term in the interpretation of σΓ(x). When Γ is empty, we will write a ~_Γ a' as a ~ a'. We use a similar convention for other notations subscripted by a context below.

3.2 The interpretation of types

The interpretation of types is given in Figure 3. In that figure, we write ⇒ and ⇔ for meta-level implication and equivalence, respectively, and give ⇔ lowest precedence among all infix symbols, and ⇒ next lowest precedence. We stipulate up front (not in the clauses in the figure) that a ∈ [[φ]]_Γ requires a ∈ SN (where SN is the set of strongly normalizing terms) and Γ ⊢ a : φ. The definition in Figure 3 proceeds by well-founded recursion on the triple (|Γ|, d(φ), l(a)), in the natural lexicographic ordering. Here, |Γ| is the cardinality of dom(Γ), and if a ∈ SN, then we make use of a (finite) natural number l(a) bounding the number of symbols in the normal form of a. We need to assume confluence of reduction elsewhere in this proof, so it does not weaken the result to assume here that each term has at most one normal form. While we believe confluence for this language should be easily established by standard methods, that proof remains to future work. The quantity d(φ) is the depth of φ, defined as follows:

$$\begin{array}{rcl}
d(\mathit{nat}) & = & 0 \qquad\qquad d((\mathit{vec}\ \phi\ l)) = 1 + d(\phi)\\
d(\Pi x{:}\phi.\phi') & = & 1 + \max(d(\phi), d(\phi')) \qquad\qquad d(\forall x{:}\phi.\phi') = 1 + \max(d(\phi), d(\phi'))\\
d(a = a') & = & 0
\end{array}$$

Note that d(φ) = d([a/x]φ) for all a, x, and φ. Also, in the clause for vec-types, since the right hand side of the clause conjoins the condition a ∈ SN, l(a) is defined, and we have l(a'') < l(cons a' a''). The figure gives an inductive definition for when σ ∈ [[Γ]]_Δ. We call such a σ a closable substitution.

In general, the inductive definition of closable substitution σ ∈ [[Γ]]_Δ allows the range of the substitution to contain open terms. When Δ is empty, σ is a closing substitution. The definition of [[·]] for types uses the definition of closable substitutions in a well-founded way. We appeal only to [[Γ]] (with an empty context Δ) in the definitions of [[φ]]_Γ and [[φ]]^+_Γ. Where the definition of [[Γ]]_Δ appeals back to the interpretation of types, it does so only when this Γ was non-empty, and with an empty context given for the interpretation of the type. So |Γ| has indeed decreased from one appeal to the interpretation of types to the next.






$$\begin{array}{lcl}
a \in [\![\mathit{nat}]\!]_\Gamma & \Leftrightarrow & \mathrm{True}\\[1ex]
a \in [\![(\mathit{vec}\ \phi\ l)]\!]_\Gamma & \Leftrightarrow & (a \leadsto^* \mathit{nil} \Rightarrow l \sim_\Gamma 0)\ \wedge\\
& & \forall a'.\forall a''.\ a \leadsto^* (\mathit{cons}\ a'\ a'') \Rightarrow\\
& & \quad (i)\ a' \in [\![\phi]\!]_\Gamma\ \wedge\ \exists l'.\ (ii)\ a'' \in [\![(\mathit{vec}\ \phi\ l')]\!]_\Gamma\ \wedge\ (iii)\ l \sim_\Gamma (S\ l')\\[1ex]
a \in [\![\Pi x{:}\phi'.\phi]\!]_\Gamma & \Leftrightarrow & \forall a' \in [\![\phi']\!]^+_\Gamma.\ (a\ a') \in [\![[a'/x]\phi]\!]_\Gamma\\[1ex]
a \in [\![\forall x{:}\phi'.\phi]\!]_\Gamma & \Leftrightarrow & \forall a' \in [\![\phi']\!]^+_\Gamma.\ a \in [\![[a'/x]\phi]\!]_\Gamma\\[1ex]
a \in [\![a_1 = a_2]\!]_\Gamma & \Leftrightarrow & (a \leadsto^* \mathit{join} \Rightarrow a_1 \sim_\Gamma a_2)
\end{array}$$

where:

$$\begin{array}{lcl}
a \sim_\Gamma a' & \Leftrightarrow & \forall \sigma.\ \sigma \in [\![\Gamma]\!] \Rightarrow (\sigma a) \downarrow (\sigma a')\\[1ex]
a \in [\![\phi]\!]^+_\Gamma & \Leftrightarrow & a \in [\![\phi]\!]_\Gamma\ \wedge\ (|\Gamma| > 0 \Rightarrow \forall \sigma \in [\![\Gamma]\!].\ \sigma a \in [\![\sigma\phi]\!])
\end{array}$$

and also:

$$\dfrac{}{\emptyset \in [\![\cdot]\!]_\Delta}
\qquad
\dfrac{\sigma \in [\![\Gamma]\!]_\Delta \quad a \in [\![\sigma\phi]\!]^+_\Delta}{\sigma \cup \{(x, a)\} \in [\![\Gamma, x{:}\phi]\!]_\Delta}$$

Figure 3: The interpretation a ∈ [[φ]]_Γ of strongly normalizing terms with Γ ⊢ a : φ



3.3 Critical properties

A term is defined to be neutral iff it is of the form (a a') or (R_B a a' a'') (with B ∈ {nat, vec}), or if it is a variable. We prove three critical properties of reducibility at type φ, by mutual induction on (|Γ|, d(φ), l(a)). Here we write next(a) = {a' | a ⇝ a'}.

R-Pres. If a ∈ [[φ]]_Γ, then next(a) ⊆ [[φ]]_Γ.

R-Prog. If a is neutral and Γ ⊢ a : φ, then next(a) ⊆ [[φ]]_Γ implies a ∈ [[φ]]_Γ.

R-Join. Suppose a1 ~_Γ a2; Γ ⊢ a' : a1 = a2 for some a'; and x ∉ dom(Γ). Then [[[a1/x]φ]]_Γ ⊆ [[[a2/x]φ]]_Γ.

3.4 Soundness of typing with respect to the interpretation

Our typing rules are sound with respect to our interpretation of types (Figure 3). As usual, we must strengthen the statement of soundness for the induction to go through. We need a quasi-order ⊑ on contexts, defined by: Δ ⊑ Γ ⇔ ∀x ∈ dom(Δ). Δ(x) = Γ(x).

Theorem 3 (Soundness for Interpretations) Suppose Γ ⊢ a : φ. Then for any Δ Ok with Δ ⊑ Γ and σ ∈ [[Γ]]_Δ, we have (σa) ∈ [[σφ]]_Δ.

Critically, we quantify over possibly open substitutions σ, whose ranges consist of closable terms.

Corollary 1 (Strong Normalization) If Γ ⊢ a : φ, then a ∈ SN.

Corollary 2 If Γ ⊢ a : φ and Γ ⊢ a' : φ', then a ↓ a' is decidable.

Corollary 3 (Equational Soundness) If ⊢ a : b1 = b2, then b1 ↓ b2.

Corollary 4 (Logical Soundness) There is a type φ such that ⊢ a : φ does not hold for any a.

Proof. By Equational Soundness, we do not have ⊢ a : 0 = (S 0) for any a.
$$\begin{array}{rclcrcl}
|x| & = & x & \qquad & |(t\ t')| & = & (|t|\ |t'|)\\
|(t\ t')^{-}| & = & |t| & \qquad & |\lambda x{:}\phi.t| & = & \lambda x.|t|\\
|\Lambda^{-}x{:}\phi.t| & = & |t| & \qquad & |0| & = & 0\\
|(S\ t)| & = & (S\ |t|) & \qquad & |(\mathit{nil}\ \phi)| & = & \mathit{nil}\\
|(\mathit{cons}\ t\ t')| & = & (\mathit{cons}\ |t|\ |t'|) & \qquad & |(R_{\mathit{nat}}\ x.\phi\ t\ t'\ t'')| & = & (R_{\mathit{nat}}\ |t|\ |t'|\ |t''|)\\
|(R_{\mathit{vec}}\ x.y.\phi\ t\ t'\ t'')| & = & (R_{\mathit{vec}}\ |t|\ |t'|\ |t''|) & \qquad & |(\mathit{join}\ t\ t')| & = & \mathit{join}\\
|(\mathit{cast}\ x.\phi\ t\ t')| & = & |t'| & & & &
\end{array}$$

Figure 4: Translation from annotated terms to unannotated terms



4 Annotated T^vec

We now define a system of annotated terms t, and a decidable type computation system deriving judgments Γ ⊩ t : φ, justified by dropping annotations via |·| (defined in Figure 4). The annotated terms t are the following. Annotations include types φ, possibly with designated free variables, as in x.φ (bound by the dot notation).

$$\begin{array}{rcl}
t & ::= & x \mid (t\ t') \mid (t\ t')^{-} \mid \lambda x{:}\phi.t \mid \Lambda^{-}x{:}\phi.t \mid 0 \mid (S\ t) \mid (R_{\mathit{nat}}\ x.\phi\ t\ t'\ t'')\\
& \mid & (\mathit{nil}\ \phi) \mid (\mathit{cons}\ t\ t') \mid (R_{\mathit{vec}}\ x.y.\phi\ t\ t'\ t'') \mid (\mathit{join}\ t\ t') \mid (\mathit{cast}\ x.\phi\ t\ t')
\end{array}$$

Three new constructs correspond to the typing rules (spec-abs), (spec-app), and (conv) of Figure 2: Λ⁻x:φ.t, (t t')⁻, and (cast x.φ t t'). Figure 5 gives syntax-directed type-computation rules, which constitute a deterministic algorithm for computing a type φ as output from a context Γ and annotated term t as inputs. Several rules use the |·| function, since types (as defined in Section 2 above) may mention only unannotated terms.

Theorem 4 (Algorithmic Typing) Given Γ and t, we can, in an effective way, either find φ such that Γ ⊩ t : φ, or else report that there is no such φ.

This follows in a standard way from inspection of the rules, using Corollary 2 for the join-rule.

Theorem 5 (Soundness for Type Assignment) If Γ ⊩ t : φ then Γ ⊢ |t| : φ.



4.1 Example

Now let us see versions of the examples mentioned in Section 1, available in the guru-lang/lib/vec.g library file for GURU (see www.guru-lang.org). The desired types for vector append ("append") and for associativity of vector append are:

$$\begin{array}{l}
\mathit{append} : \forall l_1{:}\mathit{nat}.\forall l_2{:}\mathit{nat}.\Pi v_1{:}(\mathit{vec}\ \phi\ l_1).\Pi v_2{:}(\mathit{vec}\ \phi\ l_2).(\mathit{vec}\ \phi\ (\mathit{plus}\ l_1\ l_2))\\[1ex]
\mathit{append\_assoc} : \forall l_1{:}\mathit{nat}.\forall l_2{:}\mathit{nat}.\forall l_3{:}\mathit{nat}.\\
\quad \Pi v_1{:}(\mathit{vec}\ \phi\ l_1).\Pi v_2{:}(\mathit{vec}\ \phi\ l_2).\Pi v_3{:}(\mathit{vec}\ \phi\ l_3).\\
\quad (\mathit{append}\ (\mathit{append}\ v_1\ v_2)\ v_3) = (\mathit{append}\ v_1\ (\mathit{append}\ v_2\ v_3))
\end{array}$$
$$\begin{array}{c}
\dfrac{\Gamma \Vdash t : \phi \quad \Gamma \Vdash t' : \phi' \quad |t| \downarrow |t'|}{\Gamma \Vdash (\mathit{join}\ t\ t') : |t| = |t'|}\ \text{(join)}
\qquad
\dfrac{\Gamma \Vdash t : a = a' \quad \Gamma \Vdash t' : [a/x]\phi}{\Gamma \Vdash (\mathit{cast}\ x.\phi\ t\ t') : [a'/x]\phi}\ \text{(cast)}
\\[2ex]
\dfrac{\Gamma, x{:}\phi' \Vdash t : \phi \quad x \notin \mathrm{FV}(|t|)}{\Gamma \Vdash \Lambda^{-}x{:}\phi'.t : \forall x{:}\phi'.\phi}\ \text{(spec-abs)}
\qquad
\dfrac{\Gamma \Vdash t : \forall x{:}\phi'.\phi \quad \Gamma \Vdash t' : \phi'}{\Gamma \Vdash (t\ t')^{-} : [|t'|/x]\phi}\ \text{(spec-app)}
\\[2ex]
\dfrac{\Gamma, x{:}\phi' \Vdash t : \phi}{\Gamma \Vdash \lambda x{:}\phi'.t : \Pi x{:}\phi'.\phi}\ \text{(abs)}
\qquad
\dfrac{\Gamma \Vdash t : \Pi x{:}\phi'.\phi \quad \Gamma \Vdash t' : \phi'}{\Gamma \Vdash (t\ t') : [|t'|/x]\phi}\ \text{(app)}
\\[2ex]
\dfrac{\Gamma \Vdash t'' : (\mathit{vec}\ \phi'\ l) \quad \Gamma \Vdash t : [0/x, \mathit{nil}/y]\phi \quad \Gamma \Vdash t' : \forall l{:}\mathit{nat}.\Pi z{:}\phi'.\Pi v{:}(\mathit{vec}\ \phi'\ l).\Pi u{:}[l/x, v/y]\phi.[(S\ l)/x, (\mathit{cons}\ z\ v)/y]\phi}{\Gamma \Vdash (R_{\mathit{vec}}\ x.y.\phi\ t\ t'\ t'') : [l/x, |t''|/y]\phi}\ \text{(Rvec)}
\end{array}$$

Figure 5: Type-computation system for annotated T^vec (selected rules)

We consider now annotated inhabitants of these types. The first is the following:

$$\begin{array}{l}
\mathit{append} = \Lambda^{-}l_1{:}\mathit{nat}.\Lambda^{-}l_2{:}\mathit{nat}.\lambda v_1{:}(\mathit{vec}\ \phi\ l_1).\lambda v_2{:}(\mathit{vec}\ \phi\ l_2).\\
\quad (R_{\mathit{vec}}\ (x.y.(\mathit{vec}\ \phi\ (\mathit{plus}\ x\ l_2)))\\
\qquad (\mathit{cast}\ (x.(\mathit{vec}\ \phi\ x))\ P_1\ v_2)\\
\qquad (\Lambda^{-}l{:}\mathit{nat}.\lambda x{:}\phi.\lambda v_1'{:}(\mathit{vec}\ \phi\ l).\lambda r{:}(\mathit{vec}\ \phi\ (\mathit{plus}\ l\ l_2)).\\
\qquad\quad (\mathit{cast}\ (x.(\mathit{vec}\ \phi\ x))\ P_2\ (\mathit{cons}\ x\ r)))\\
\qquad v_1)
\end{array}$$

The two cases in the Rvec term return a type-cast version of what would standardly be returned in an unannotated version of append. The proofs P1 and P2 used in those casts show respectively that l2 = (plus 0 l2) and (S (plus l l2)) = (plus (S l) l2). They are simple join-proofs:

$$P_1 = (\mathit{join}\ l_2\ (\mathit{plus}\ 0\ l_2)) \qquad P_2 = (\mathit{join}\ (S\ (\mathit{plus}\ l\ l_2))\ (\mathit{plus}\ (S\ l)\ l_2))$$

Now for append_assoc, we can use the following annotated term:

$$\begin{array}{l}
\mathit{append\_assoc} = \Lambda^{-}l_1{:}\mathit{nat}.\Lambda^{-}l_2{:}\mathit{nat}.\Lambda^{-}l_3{:}\mathit{nat}.\\
\quad \lambda v_1{:}(\mathit{vec}\ \phi\ l_1).\lambda v_2{:}(\mathit{vec}\ \phi\ l_2).\lambda v_3{:}(\mathit{vec}\ \phi\ l_3).\\
\quad (R_{\mathit{vec}}\ (x.y.(\mathit{append}\ (\mathit{append}\ y\ v_2)\ v_3) = (\mathit{append}\ y\ (\mathit{append}\ v_2\ v_3)))\\
\qquad (\mathit{join}\ (\mathit{append}\ (\mathit{append}\ \mathit{nil}\ v_2)\ v_3)\ (\mathit{append}\ \mathit{nil}\ (\mathit{append}\ v_2\ v_3)))\\
\qquad (\Lambda^{-}l{:}\mathit{nat}.\lambda x{:}\phi.\lambda v_1'{:}(\mathit{vec}\ \phi\ l).\\
\qquad\quad \lambda r{:}(\mathit{append}\ (\mathit{append}\ v_1'\ v_2)\ v_3) = (\mathit{append}\ v_1'\ (\mathit{append}\ v_2\ v_3)).\ P_3)\\
\qquad v_1)
\end{array}$$

The omitted proof P3 is an easy equational proof of the following type:

$$(\mathit{append}\ (\mathit{append}\ (\mathit{cons}\ x\ v_1')\ v_2)\ v_3) = (\mathit{append}\ (\mathit{cons}\ x\ v_1')\ (\mathit{append}\ v_2\ v_3))$$
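The erasure |·| of Figure 4 applied to the annotated append above, as an added Python example that is not code from the paper or from the Guru library. Type annotations are carried as opaque strings, since erasure never looks inside them, and plus is a free variable standing for the recursive definition the paper assumes. The check shows that the erased term is exactly the append on plain lists one would write directly in unannotated T^vec, with the casts, the Λ⁻ binders and the join-proofs P1 and P2 gone, which is the sense in which append on vectors is indistinguishable from append on lists.

```python
"""Erasure |·| of Figure 4 from annotated to unannotated T^vec terms, applied
to the annotated vector append of Section 4.1.  Added example, not code from
the paper or the Guru library.  Type annotations are opaque strings (erasure
never inspects them); 'plus' is a free variable standing for the recursive
definition the paper assumes."""

# annotated forms (first element names the form; type annotations are strings):
#   ('var',x) ('app',t,t') ('spec_app',t,t')          (t t') and (t t')^-
#   ('lam',x,phi,t) ('spec_lam',x,phi,t)              λx:φ.t and Λ⁻x:φ.t
#   ('zero',) ('succ',t) ('rnat',x,phi,t,t',t'')      0, (S t), (Rnat x.φ t t' t'')
#   ('nil',phi) ('cons',t,t') ('rvec',x,y,phi,t,t',t'')
#   ('join',t,t') ('cast',x,phi,t,t')
def var(x):
    return ('var', x)

def app(f, *args):
    for a in args:
        f = ('app', f, a)
    return f

def erase(t):
    """|t|: drop types, implicit binders/arguments, casts and proof contents."""
    k = t[0]
    if k in ('var', 'zero'):
        return t
    if k == 'app':
        return ('app', erase(t[1]), erase(t[2]))
    if k == 'spec_app':                   # |(t t')^-| = |t|
        return erase(t[1])
    if k == 'lam':                        # |λx:φ.t| = λx.|t|
        return ('lam', t[1], erase(t[3]))
    if k == 'spec_lam':                   # |Λ⁻x:φ.t| = |t|
        return erase(t[3])
    if k == 'succ':
        return ('succ', erase(t[1]))
    if k == 'rnat':                       # |(Rnat x.φ t t' t'')| = (Rnat |t| |t'| |t''|)
        return ('rnat',) + tuple(erase(c) for c in t[3:])
    if k == 'nil':                        # |(nil φ)| = nil
        return ('nil',)
    if k == 'cons':
        return ('cons', erase(t[1]), erase(t[2]))
    if k == 'rvec':                       # |(Rvec x.y.φ t t' t'')| = (Rvec |t| |t'| |t''|)
        return ('rvec',) + tuple(erase(c) for c in t[4:])
    if k == 'join':                       # |(join t t')| = join
        return ('join',)
    if k == 'cast':                       # |(cast x.φ t t')| = |t'|
        return erase(t[4])
    raise ValueError(f"unknown annotated form {k!r}")

# arities of the unannotated grammar of Section 2 (binder names are strings, not counted)
ARITY = {'var': 1, 'app': 2, 'lam': 2, 'zero': 0, 'succ': 1, 'rnat': 3,
         'nil': 0, 'cons': 2, 'rvec': 3, 'join': 0}

def is_unannotated(t):
    """True iff t lies in the unannotated grammar: no casts, Λ⁻, (·)^- or types."""
    return (len(t) - 1 == ARITY.get(t[0], -1)
            and all(is_unannotated(c) for c in t[1:] if isinstance(c, tuple)))

def plus(a, b):
    return app(var('plus'), a, b)

def vec_ty(l):                            # annotation text only, never interpreted
    return f"(vec φ {l})"

Z, L, L2 = ('zero',), var('l'), var('l2')
P1 = ('join', L2, plus(Z, L2))                                  # l2 = (plus 0 l2)
P2 = ('join', ('succ', plus(L, L2)), plus(('succ', L), L2))     # (S (plus l l2)) = (plus (S l) l2)

APPEND_ANN = ('spec_lam', 'l1', 'nat', ('spec_lam', 'l2', 'nat',
    ('lam', 'v1', vec_ty('l1'), ('lam', 'v2', vec_ty('l2'),
        ('rvec', 'x', 'y', vec_ty('(plus x l2)'),
            ('cast', 'x', vec_ty('x'), P1, var('v2')),
            ('spec_lam', 'l', 'nat', ('lam', 'x', 'φ', ('lam', "v1'", vec_ty('l'),
                ('lam', 'r', vec_ty('(plus l l2)'),
                    ('cast', 'x', vec_ty('x'), P2, ('cons', var('x'), var('r'))))))),
            var('v1'))))))

# the append on plain lists one would write directly in unannotated T^vec
APPEND_PLAIN = ('lam', 'v1', ('lam', 'v2',
    ('rvec', var('v2'),
        ('lam', 'x', ('lam', "v1'", ('lam', 'r', ('cons', var('x'), var('r'))))),
        var('v1'))))

def erased_append():
    return erase(APPEND_ANN)

if __name__ == '__main__':
    print(erased_append() == APPEND_PLAIN)        # True: casts, Λ⁻ and proofs are gone
    print(erase(P1), erase(P2))                   # ('join',) ('join',)
    print(is_unannotated(APPEND_ANN), is_unannotated(erased_append()))  # False True
```

Because erasure is what the reduction relation of Section 2 sees, a type checker that decides |t| ↓ |t'| for the join rule never has to evaluate the proof terms or casts: P1 and P2 collapse to join, and the length indices l1, l2 and the recursor's implicit l leave no trace in the term at all.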

5 T^vec with Large Eliminations

Next we study an extended version of T^vec with large eliminations, i.e. types defined by pattern matching on terms. This extended language no longer is normalizing under general β-reduction, but we will prove that well-typed closed terms normalize under call-by-value evaluation 

⇝v. In particular, the language is type safe and logically consistent.

The additions to the language and type system are shown in Figure 6.

$$\phi ::= \ldots \mid \mathit{ifZero}\ a\ \phi\ \phi' \qquad\qquad a ::= \ldots \mid \Lambda.a \mid a\,\Box \qquad\qquad v ::= \ldots \mid \Lambda.a$$

$$\begin{array}{c}
\dfrac{\Gamma, x{:}\phi' \vdash a : \phi \quad x \notin \mathrm{FV}(a)}{\Gamma \vdash \Lambda.a : \forall x{:}\phi'.\phi}\ \text{(spec-abs')}
\qquad
\dfrac{\Gamma \vdash a : \forall x{:}\phi'.\phi \quad \Gamma \vdash a' : \phi'}{\Gamma \vdash a\,\Box : [a'/x]\phi}\ \text{(spec-app')}
\\[2ex]
\dfrac{\Gamma \vdash a : \phi}{\Gamma \vdash a : \mathit{ifZero}\ 0\ \phi\ \phi'}\ \text{(foldZ)}
\qquad
\dfrac{\Gamma \vdash a : \mathit{ifZero}\ 0\ \phi\ \phi'}{\Gamma \vdash a : \phi}\ \text{(unfoldZ)}
\\[2ex]
\dfrac{\Gamma \vdash a : \phi' \quad \Gamma \vdash a' : \mathit{nat}}{\Gamma \vdash a : \mathit{ifZero}\ (S\ a')\ \phi\ \phi'}\ \text{(foldS)}
\qquad
\dfrac{\Gamma \vdash a : \mathit{ifZero}\ (S\ a')\ \phi\ \phi' \quad \Gamma \vdash a' : \mathit{nat}}{\Gamma \vdash a : \phi'}\ \text{(unfoldS)}
\end{array}$$

Figure 6: Types, terms, values, and typing rules for T^vec with large eliminations.

The type language is extended with the simplest possible form of large elimination, a type-level conditional ifZero, which is introduced and eliminated by the fold and unfold rules. While type conversion and type folding/unfolding are completely implicit, we replace the spec-abs/app rules with new rules spec-abs'/app', which require the place where we introduce or eliminate the ∀-type to be marked by new quasi-implicit forms Λ.a and a □. These forms do not mention the quantified variable or the term it is instantiated with, so we retain the advantages of specificational reasoning. The point of these forms is their evaluation behavior: (Λ.a) □ ⇝ a, and Λ.a counts as a value, so CBV evaluation will never reduce inside it. Besides this, the CBV operational semantics is standard, so we omit it here.

In the language with large eliminations we no longer have normalization or type safety for arbitrary open terms. This is because the richer type system lets us make use of absurd equalities: whenever we have Γ ⊢ a : φ and Γ ⊢ p : (S a') = 0, we can show Γ ⊢ a : φ' for any φ' by going via the intermediate type (ifZero 0 φ φ'): fold a into it with (foldZ), convert the index 0 to (S a') using p, and unfold with (unfoldS). In particular, this means we can show judgments like

$$p : 1 = 0 \vdash (\lambda x.x\ x)\ (\lambda x.x\ x) : \mathit{nat} \qquad \text{and} \qquad p : 1 = 0 \vdash (0\ 0) : \mathit{nat}.$$

This is also the reason we introduce the quasi-implicit products. Using our old rule spec-abs we would be able to show ⊢ (0 0) : ∀p:1=0.nat, despite (0 0) being a stuck term in our operational semantics.

Because of this quodlibet property it is no longer convenient to prove Progress and Preservation before Normalization. While the proof of Preservation is not hard, Progress as we have seen depends on the logical consistency of the language, which is exactly what we hope to establish through Normalization. To cut this circle we design an interpretation of types (Figure 7) that lets us prove type safety, Canonical Forms and Normalization in a single induction.



5.1 Semantics of Equality

We need to pick an interpretation for equality types. Since we are only interested in closed terms, this can be less elaborate than in Section 3. Perhaps surprisingly, even though we are interested in CBV-evaluation of programs, we can still interpret equality as joinability ↓ under unrestricted β-reduction. In the interpretation we use ⇝v for the program being evaluated, but ⇝ whenever we talk about terms occurring in types (namely in vec, =, and R-types). The join typing rule is specified in terms of ↓, so when doing symbolic evaluation of programs at type checking time the type checker can use unrestricted reduction, which gives a powerful type system that can prove many equalities.

$$\begin{array}{lcl}
a \in [\![\mathit{nat}]\!] & \Leftrightarrow & \exists n.\ a \leadsto_v^* n\\[1ex]
a \in [\![(\mathit{vec}\ \phi\ l)]\!] & \Leftrightarrow & (a \leadsto_v^* \mathit{nil} \wedge l \leadsto^* 0)\ \vee\\
& & \exists v\, v'\, n.\ a \leadsto_v^* (\mathit{cons}\ v\ v') \wedge l \leadsto^* (S\ n) \wedge v \in [\![\phi]\!] \wedge v' \in [\![(\mathit{vec}\ \phi\ n)]\!]\\[1ex]
a \in [\![\Pi x{:}\phi'.\phi]\!] & \Leftrightarrow & \exists b.\ a \leadsto_v^* (\lambda x.b) \wedge \forall a' \in [\![\phi']\!].\ (a\ a') \in [\![[a'/x]\phi]\!]\\[1ex]
a \in [\![\forall x{:}\phi'.\phi]\!] & \Leftrightarrow & \exists b.\ a \leadsto_v^* (\Lambda.b) \wedge \forall a' \in [\![\phi']\!].\ (a\,\Box) \in [\![[a'/x]\phi]\!]\\[1ex]
a \in [\![a_1 = a_2]\!] & \Leftrightarrow & a \leadsto_v^* \mathit{join} \wedge a_1 \downarrow a_2\\[1ex]
a \in [\![\mathit{ifZero}\ b\ \phi\ \phi']\!] & \Leftrightarrow & \left\{\begin{array}{ll} a \in [\![\phi]\!] & \text{if } b \leadsto^* 0\\ a \in [\![\phi']\!] & \text{if } b \leadsto^* (S\ n)\\ \mathrm{False} & \text{otherwise}\end{array}\right.
\end{array}$$

$$\dfrac{}{\emptyset \in [\![\cdot]\!]}
\qquad
\dfrac{\sigma \in [\![\Gamma]\!] \quad v \in [\![\sigma\phi]\!]}{\sigma \cup \{(x, v)\} \in [\![\Gamma, x{:}\phi]\!]}$$

Figure 7: Type interpretation a ∈ [[φ]] and context interpretation σ ∈ [[Γ]] for T^vec with large eliminations



5.2 Normalization to Canonical Form

We define the interpretation [[·]] as in Figure 7 by recursion on the depth of the type φ. As we only deal with closed terms, the definition can be simpler than the one in Section 3. The proof then proceeds much like the proof for open terms:

R-Canon. If a ∈ [[φ]], then a ⇝v* v for some v. Furthermore, if the top-level constructor of φ is nat, Π, ∀, =, or vec, then v is the corresponding introduction form.

R-Pres. If a ∈ [[φ]] and a ⇝v a', then a' ∈ [[φ]].

R-Prog. If a ⇝v a' and a' ∈ [[φ]], then a ∈ [[φ]].

R-Join. If a1 ↓ a2, then a ∈ [[[a1/x]φ]] implies a ∈ [[[a2/x]φ]].

Theorem 6 If Γ ⊢ a : φ and σ ∈ [[Γ]], then σa ∈ [[σφ]].

Corollary 5 (Type Safety) If ⊢ a : φ, then a ⇝v* v.

Corollary 6 (Logical Soundness) ⊢ a : 1 = 0 does not hold for any a.



6 Conclusion and Future Work

The T^vec type theory includes intersection types and a form of equality reflection, justified by translation to an undecidable unannotated system. The division into annotated and unannotated systems enables us to reason about terms without annotations, while retaining decidable type checking. We have seen how this approach extends to a language including large eliminations, by introducing a novel kind of quasi-implicit products. The quasi-implicit products allow convenient reasoning about specificational data, while permitting a simple proof of normalization of closed terms. Possible future work includes formalizing the metatheory, and extending to a polymorphic type theory. Adding an extensional form of equality while retaining decidability would also be of interest, as in [?].